Fake Google Security site uses PWA app to steal credentials, MFA codes

Published: (March 2, 2026 at 03:23 PM EST)
5 min read

Source: Bleeping Computer

A phishing campaign is using a fake Google Account security page to deliver a web‑based app capable of stealing one‑time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims’ browsers.

The attack leverages Progressive Web App (PWA) features and social engineering to deceive users into believing they are interacting with a legitimate Google Security web page and inadvertently installing the malware.

PWAs run in the browser and can be installed from a website, much like a regular standalone application. Once installed, they are displayed in their own window without any visible browser controls.


Victim browser becomes attacker’s proxy

The campaign relies on social engineering to obtain the necessary permissions from the user under the guise of a security check and “increased protection” for devices.

  • The cybercriminals use the domain google‑prism[.]com, which poses as a legitimate security‑related service from Google.
  • The site shows a four‑step setup process that includes granting risky permissions and installing a malicious PWA app.
  • In some instances the site also promotes a companion Android app to “protect” contacts.

According to researchers at Malwarebytes, the PWA can exfiltrate:

  • Contacts
  • Real‑time GPS data
  • Clipboard contents

Additional functionality observed includes:

  • Acting as a network proxy
  • Internal port scanning (allowing the attacker to route requests through the victim’s browser and identify live hosts on the network)

The website also requests permission to access text and images copied to the clipboard – a capability that works only while the app is open.


Fake Google security site asking for clipboard access
source: BleepingComputer

The fake site also asks for permission to show notifications, which lets the attacker push alerts, create fake tasks, or trigger data exfiltration.

Furthermore, the malware uses the WebOTP API on supported browsers to intercept SMS verification codes and checks the /api/heartbeat endpoint every 30 seconds for new commands.

Because the PWA can steal clipboard contents and OTP codes only when it is open, notifications are used to send fake security alerts that prompt the user to reopen the PWA.


Fake Google security site asks for notifications permission
source: BleepingComputer

Malwarebytes says the primary goal is stealing one‑time passwords (OTP) and cryptocurrency wallet addresses, and that the malware also “builds a detailed device fingerprint.”

Another component in the malicious PWA is a service worker that:

  • Handles push notifications
  • Executes tasks from received payloads
  • Prepares stolen data locally for exfiltration

The most concerning component, according to the researchers, is the WebSocket relay that allows the attacker to pass web requests through the browser as if they originated from the victim’s network:

“The malware acts as an HTTP proxy, executing fetch requests with whatever method, headers, credentials, and body the attacker specifies, then returns the full response including headers.” – Malwarebytes

Because the worker includes a handler for Periodic Background Sync (a Chromium feature that lets web apps synchronize data in the background), the attacker can maintain access to a compromised device for as long as the malicious PWA remains installed.
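As an added illustration, not code from the article or from the Malwarebytes research, the following static triage scan flags service-worker and page scripts that combine the capabilities described above (push, Periodic Background Sync, WebOTP, clipboard reads, contacts, geolocation, a WebSocket channel, and fetch calls whose HTTP method is caller-controlled). The sample scripts are constructed, and the indicator weights and thresholds are assumptions of this example.

```javascript
// Heuristic triage of PWA scripts for the capability mix described in the
// article. Every API here is legitimate on its own, so the score weights the
// combination rather than any single hit. Weights are assumed, not from the source.
const INDICATORS = [
  { id: "push_handler",      weight: 1, re: /addEventListener\(\s*['"]push['"]/ },
  { id: "periodic_sync",     weight: 2, re: /addEventListener\(\s*['"]periodicsync['"]/ },
  { id: "webotp_sms",        weight: 3, re: /credentials\.get\(\s*\{[^}]*\botp\b/ },
  { id: "clipboard_read",    weight: 2, re: /navigator\.clipboard\.read(?:Text)?\(/ },
  { id: "contacts_picker",   weight: 2, re: /navigator\.contacts\.select\(/ },
  { id: "geolocation",       weight: 1, re: /geolocation\.(?:watchPosition|getCurrentPosition)\(/ },
  { id: "websocket",         weight: 1, re: /new\s+WebSocket\(/ },
  // fetch whose method comes from a variable, not a string literal: the shape
  // of a request relay driven by remotely supplied commands
  { id: "relay_style_fetch", weight: 3, re: /fetch\([^)]*\bmethod\s*:\s*[A-Za-z_$][\w$.]*/ },
];

// Returns the matched indicator ids, the summed weight and a coarse level.
function scanScript(src) {
  const matched = INDICATORS.filter((i) => i.re.test(src));
  const hits = matched.map((i) => i.id);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  const level = score >= 6 ? "high" : score >= 3 ? "medium" : "low";
  return { hits, score, level };
}

// Constructed fragments: a worker that registers the article's capability mix.
const SUSPICIOUS_SW = `
self.addEventListener('push', e => e.waitUntil(onPush(e.data.json())));
self.addEventListener('periodicsync', e => e.waitUntil(checkIn()));
navigator.credentials.get({ otp: { transport: ['sms'] } }).then(c => send(c.code));
const text = await navigator.clipboard.readText();
const ws = new WebSocket('wss://relay.example.invalid/');
const resp = await fetch(cmd.url, { method: cmd.method, headers: cmd.headers, body: cmd.body });
`;

// Constructed fragment: an ordinary news-site worker that only shows notifications.
const BENIGN_SW = `
self.addEventListener('push', e => e.waitUntil(self.registration.showNotification('Update ready')));
const news = await fetch('/api/news');
`;

console.log(scanScript(SUSPICIOUS_SW)); // level "high"
console.log(scanScript(BENIGN_SW));     // level "low"
```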


Malware Android companion

Users who enable all the “security features” for their account are offered an APK that promises to extend protection to their contacts.


Fake security checks
source: BleepingComputer

The payload is described as a “critical security update,” claims to be verified by Google, and requests 33 permissions, including:

  • SMS access
  • Call logs
  • Microphone
  • Contacts
  • Accessibility service

These high‑risk permissions enable data theft, full device compromise, and financial fraud.

The malicious APK contains multiple components, such as:

  • A custom keyboard to capture keystrokes
  • A notification listener for access to incoming notifications
  • A service to intercept automatically‑filled credentials

To enhance persistence, the APK:

  • Registers as a device administrator (making removal harder)
  • Sets a boot receiver to execute on startup
  • Schedules alarms to restart components if terminated

Malwarebytes also observed components that could be used for overlay‑based attacks, indicating plans for credential phishing in certain apps.

By combining legitimate browser features with social engineering, the attacker does not need to exploit any vulnerability; they simply trick the victim into granting all required permissions.

The researchers warn that even if the Android APK is not installed, the web app can still:

  • Collect contacts
  • Intercept OTPs
  • Track location
  • Scan internal networks
  • Proxy traffic through the victim’s device

Important reminder: Google never runs security checks through pop‑ups on web pages, nor does it request any software installation for enhanced protection features. All security tools are available through the Google Account portal at .

Removal

  • To remove the malicious APK, Malwarebytes recommends looking for a “Security Check” entry in the list of installed apps and uninstalling it first.
  • If an app called “System Service” with a suspicious package name is present, it is likely part of this payload and should be removed as well.

This article is based on the Malwarebytes research titled “Inside a fake Google security check that becomes a browser RAT.”

Device Administrator Issue
If the app com.device.sync is present and has device‑administrator access, revoke its permissions under Settings > Security > Device admin apps and then uninstall it.

Removal of the Malicious Web App
Malwarebytes researchers also provide detailed steps for removing the malicious web app from:

  • Chromium‑based browsers on Windows (e.g., Google Chrome, Microsoft Edge)
  • Safari

Browser‑Specific Behavior
On Firefox and Safari, many of the malicious app’s capabilities are severely restricted, but push notifications still work.

